base/files/unified2/main.bro

Unified2
Namespace: Unified2
Imports: base/utils/dir.bro, base/utils/paths.bro
Source File: /scripts/base/files/unified2/main.bro

Summary

Options

Unified2::classification_config: string &redef The classification.config file you would like to use for your alerts.
Unified2::gen_msg: string &redef The gen-msg.map file you would like to use for your alerts.
Unified2::sid_msg: string &redef The sid-msg.map file you would like to use for your alerts.
Unified2::watch_dir: string &redef Directory to watch for Unified2 records.
Unified2::watch_file: string &redef File to watch for Unified2 files.

Redefinitions

Log::ID: enum
fa_file: record &redef

Events

Unified2::alert: event Reconstructed “alert” which combines related events and packets.
Unified2::log_unified2: event The event for accessing logged records.

Detailed Interface

Options

Unified2::classification_config
Type: string
Attributes: &redef
Default: ""

The classification.config file you would like to use for your alerts.

Unified2::gen_msg
Type: string
Attributes: &redef
Default: ""

The gen-msg.map file you would like to use for your alerts.

Unified2::sid_msg
Type: string
Attributes: &redef
Default: ""

The sid-msg.map file you would like to use for your alerts.

Unified2::watch_dir
Type: string
Attributes: &redef
Default: ""

Directory to watch for Unified2 records.

Unified2::watch_file
Type: string
Attributes: &redef
Default: ""

File to watch for Unified2 files.

Types

Unified2::Info
Type: record

ts: time &log

Timestamp attached to the alert.

id: Unified2::PacketID &log

Addresses and ports for the connection.

sensor_id: count &log

Sensor that originated this event.

signature_id: count &log

Signature id for this generator.

signature: string &optional &log

A string representation of the signature_id field if a sid-msg.map file was loaded.

generator_id: count &log

The generator that produced the alert.

generator: string &optional &log

A string representation of the generator_id field if a gen-msg.map file was loaded.

signature_revision: count &log

Signature revision for this signature id.

classification_id: count &log

Event classification.

classification: string &optional &log

Descriptive classification string.

priority_id: count &log

Event priority.

event_id: count &log

Event ID.

packet: string &optional &log

Some of the packet data.

Attributes:

&log

Unified2::PacketID
Type: record

src_ip: addr &log

src_p: port &log

dst_ip: addr &log

dst_p: port &log

Attributes:

&log

Events

Unified2::alert
Type:event (f: fa_file, ev: Unified2::IDSEvent, pkt: Unified2::Packet)

Reconstructed “alert” which combines related events and packets.

Unified2::log_unified2
Type:event (rec: Unified2::Info)

The event for accessing logged records.
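An added example, not part of this script or the Bro distribution, showing how a site policy would use the options and events documented above: it points the reader at an assumed Snort spool directory and map files, raises a notice for reconstructed alerts carrying the most severe priority, and counts logged records per resolved signature name. The module name, the notice type, all file paths, and the assumption that priority 1 is the most severe level (as in a default Snort classification.config) are illustrative; the field names on Unified2::IDSEvent are taken from Bro's built-in type definition, which this page does not list.

```bro
##! Added example: consume Snort Unified2 spool files with the Unified2 reader.
##! Module name, notice type and paths are assumptions for illustration.

@load base/files/unified2
@load base/frameworks/notice

module Unified2Example;

export {
    redef enum Notice::Type += {
        ## A reconstructed alert whose priority_id is 1 (assumed here to be
        ## the most severe level, as in a default classification.config).
        High_Priority_Alert,
    };

    ## Alerts seen so far, keyed by resolved signature name, or "sid:N"
    ## when no sid-msg.map entry matched the signature id.
    global alerts_by_signature: table[string] of count &default=0;
}

# Assumed locations; adjust to the local Snort installation.
redef Unified2::watch_dir = "/var/log/snort/";
redef Unified2::sid_msg = "/etc/snort/sid-msg.map";
redef Unified2::gen_msg = "/etc/snort/gen-msg.map";
redef Unified2::classification_config = "/etc/snort/classification.config";

event Unified2::alert(f: fa_file, ev: Unified2::IDSEvent, pkt: Unified2::Packet)
    {
    # Escalate only the most severe alerts; every alert still reaches unified2.log.
    if ( ev$priority_id != 1 )
        return;

    NOTICE([$note=High_Priority_Alert,
            $msg=fmt("Snort alert gid=%d sid=%d rev=%d from sensor %d",
                     ev$generator_id, ev$signature_id,
                     ev$signature_revision, ev$sensor_id),
            $src=ev$src_ip,
            $dst=ev$dst_ip,
            $p=ev$dst_p,
            # Lets the notice framework suppress repeats of the same
            # signature from the same source address.
            $identifier=cat(ev$src_ip, "/", ev$signature_id)]);
    }

event Unified2::log_unified2(rec: Unified2::Info)
    {
    # Info$signature is &optional: it is present only when the id was
    # resolved through the loaded sid-msg.map.
    local name = rec?$signature ? rec$signature : fmt("sid:%d", rec$signature_id);
    ++alerts_by_signature[name];
    }

event bro_done()
    {
    for ( name in alerts_by_signature )
        print fmt("%s: %d alert(s)", name, alerts_by_signature[name]);
    }
```

Load the script alongside the base policy (for example with `bro -i eth0 unified2_example.bro` or from local.bro); the Unified2::watch_dir option makes the reader pick up new spool files as Snort rotates them, while Unified2::watch_file would instead follow a single file.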

Copyright 2016, The Bro Project. Last updated on December 12, 2017. Created using Sphinx 1.5.2.